CVE-2024-11109: 
WordPress vulnerability analysis and mitigation

The WP Google Review Slider WordPress plugin before version 15.6 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-11109. The vulnerability was discovered and reported by Bob Matyas, and was publicly disclosed on November 5, 2024. The issue affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability exists in the template management functionality of the plugin, specifically at the path '/wp-admin/admin.php?page=wpgoogle-templatesposts'. The 'Custom CSS' field is not properly sanitized, allowing for the injection of malicious JavaScript code that gets stored and executed. The vulnerability has been assigned a CVSS 3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD, WPScan).

The vulnerability allows authenticated administrators to store and execute arbitrary JavaScript code on affected WordPress sites. This is particularly significant in environments where the unfiltered_html capability is disabled, such as in WordPress multisite installations. The impact is considered medium severity due to the high privilege requirement but potential for cross-site attacks (Wiz).

Users are advised to update the WP Google Review Slider plugin to version 15.6 or later, which contains the fix for this vulnerability (WPScan).